Avoidable Risk

Not fully understanding or improperly using applications that protect your privacy and allow you to bypass censorship can seriously affect your online security. A researcher recently revealed that he was able to gather sensitive data including the user names and passwords of government email accounts by snooping on the traffic of five Tor exit nodes he controlled. If you are not using end to end encryption the Tor exit node can see your traffic in plain text. as the researcher notes:

ToR isn’t the problem, just use it for what it’s made for.

This reminds me of the “trick” a lot of people use in which they set up an email account but don’t actually send email but rather just store email in the drafts folder thinking that this protects them from government surveillance. Unless the full session is encrypted, and many using this technique are using web mail account which only encrypt the login not the rest of the traffic, it can still be snooped even though you are not “sending” the email.

2 comments.

Wow, that is problematic. On the prevention measures side of things, this script for Greasemonkey will ensure that all of Firefox’s traffic to Gmail is HTTPS. You could always access Gmail via HTTPS by explicitly specifying it in the URL, but for the absent-minded this script makes sure you’re talking HTTPS any time you use the service, for the entire session. I’d highly recommend it for any Gmail user who uses public/commercial Wi-Fi networks regularly, not to mention Tor users concerned about anonymity.